One of the biggest lessons learned so far from last year's costly and embarrassing cyberattack on Sony Pictures Entertainment -- reportedly by North Korea -- is that it doesn't necessarily take large, expensive and sophisticated hacking teams to bring a major global corporation to its knees. And the number of hackers who can do so, whether they're acting independently or on behalf of hostile governments, is growing on a daily basis.
The hack on Sony Pictures last fall is believed to have been North Korea's retaliation for the studio's production of "The Interview," a Seth Rogen comedy depicting an assassination attempt on that country's "supreme leader," Kim Jong Un. The cyberattack used wiper malware to destroy information on the studio's networks, and then released a large number of files, including unreleased films, employee data and internal correspondence by executives.
Sony's public image suffered a black eye as hacker-released memos revealed executives making racist jokes about President Barack Obama and disparaging remarks about stars like Angelina Jolie. However, according to the company's most recent quarterly financial report, investigation and remediation costs related to the cyberattack have come in much lower than previously estimated, amounting to just $15 million as of December 31, 2014.
'Mopeds' vs. 'Fighter Jets'
In a "60 Minutes" program that aired Sunday, cybersecurity expert Jon Miller told correspondent Steve Kroft that the Sony attack was not very sophisticated and that there are many other would-be hackers out there capable of carrying out similar attacks.
"There are probably 3, 4, 5,000 people that could do that attack today . . . and the number is growing rapidly," said Miller, who is Vice President of Strategy for the Irvine, California-based cybersecurity firm Cylance. While such hackers are "mopeds" when compared to the U.S. surveillance community's "F-22 fighter jets," Miller said, "it does not take an overly sophisticated attack to compromise these huge global multinational brands."
The lesson learned from the Sony hack is that "Bad guys don't have mercy," Cylance CEO, President and founder Stuart McClure wrote Sunday in a blog post. He added, "If the attack had been even close to sophisticated, we might understand why it was successful. If it had dropped multiple [zero]-days like Stuxnet, or used a stolen private certificate to sign drivers, or even leveraged some advanced, previously unknown ninja techniques, then that might explain how the industry missed these attacks. But none of that happened in the Sony attack. The industry has no excuse."
'Who' Less Important than 'How'
Cylance's Chief Marketing Officer, Greg Fitzgerald, agreed. He told us that the Sony attack involved multiple failings, points at which both the corporation and the industry should have prevented it.
"First, it was malware (hacker software) that could have been detected and prevented. While some like to call it 'advanced,' the reality is that this type of attack has been experienced before and security vendors should have put in place ways to both identify it faster and provide a resolution quicker. Second, the cascading impact inside the organization for how to detect and respond was not solid. Each organization should have a clear crisis management plan," Fitzgerald said.
"Third, the past two years of highly public, successful cyberattacks has demonstrated that organizations of all types and industries are susceptible. The vendor industry is producing lots of 'alert' products for faster response. Yet, what the industry needs to provide is prevention technologies to make it harder for attacks to succeed," he said.
With both nation-state actors and individuals capable of conducting such attacks, "The matter of 'who' is much less important than 'how' attacks occur," Fitzgerald said. "It is very difficult to be accurate in the 'who' of cybersecurity today. Yet, the 'how' is actually very common and preventable. Attackers want the [path of least] resistance to entry. They often use easily available, open sourced code and previously used tactics to permeate today's cyber defenses. Organizations must think like attackers and work to stay one step ahead."
Cybersecurity expert Bruce Schneier told us that's increasingly difficult for many organizations to do. "What can Taco Bell do to prepare for invasion of a foreign country?" he asked. "Nothing. It's above their pay grade." The problem for most organizations in today's fast-evolving cybersecurity landscape is that "you're pawns in someone else's fight," he added.